Shock horror, I will say it: cyber security in the United Kingdom sucks! From small enterprises to giant enterprises and even central government.
Let’s start off with trains: the first trains were in the United Kingdom and everyone followed. Now our trains are expensive, often late and there are constant track engineering works (the same with “imaginary” roadworks on motorways, aka the 50 limit). In the 21st century the rest of Europe has trains which are often faster, cheaper and more reliable. Metro tickets in Spain and Greece are a fraction of the cost of what you pay in London and the service is as good or better.
Cyber security is a newish topic, though before cyber security was a buzzword it went by many names: information security, data security, network security, IT security and computer security. All mean the same thing or different things, depending on your point of view. Today cyber security is an all-encompassing word. Over five years ago no one was really interested in cyber security or its predecessor words apart from banks and (partly) central government.
Trains have been around for over a century and have been perfected over time. Technology has existed in its modern form for three decades or so, with security for a lot less. There are plenty of people with computer science degrees or people with general technology experience, but not many with cyber security experience. It will take years to train up people currently in technology or to train people straight from university, college or sixth form.
Over the last fourteen years I have seen all sorts at a variety of types of organisations. Yes, I am nosey: I ask the tough questions and look around. I am not your average “security assurance officer” who ticks a few boxes and arranges a pen test, only to risk-accept most findings. I dig deeper and am stricter than most. Some would call me annoying for the detail (technical controls) I specify or the stupid security holes I find.
Even in 2018, as a cyber security trainer, I still constantly see poor examples at organisations you would not imagine. The exact stories and names will remain anonymous, of course. They go along the lines of no USB stick control, zero firewalling done at the network and/or application layer, and little two-factor authentication, still not being rolled out. These examples are not from five years ago but from late 2018, here in Blighty. Think my stories are bad? Jump to outside of the West…
Yes, the United Kingdom’s cyber security may be “developed” for a new topic, which does not mean it is perfect, far from it. Look outside of the “West”, i.e. France, Germany, United States, Canada, Israel etc., and it is far worse. So bad, in fact, that a kid in his/her parents’ bedroom could hack an entire continent with little effort. Now, I am talking about outside of Europe, though some countries within Europe (EU included) would not be hard to hack either.
The fix?
Frameworks/compliance/law: numerous organisations I have seen which have 9001, 27001 and more are poorly secured. The auditor only inspects a small percentage of documents and technical controls, and very often his/her auditing skills are more theoretical than technical. I.e. does having an antimalware standard document and rolling out bog-standard endpoint defences meet a 27001 point? Likely, but would it impress me? No. Go beyond “paper-based defence” and implement lower-level defences, not just the minimum to tick a box and win a contract.
Teaching/training: many 30+ year olds say the young only start learning at work, not university. Numerous degrees and private courses teach offence because it is more glamorous. True, detailed technical defensive skills are needed. Often an excellent offensive person cannot do defence very well. This is the same with GRC individuals: it is hard to be deeply technical in defence as well as great at GRC. Students should be taught what they need to know, not the detailed history and theory behind something. As a fellow trainer says, “I did not care at school what some man did 10,000 years ago!” Teaching/training needs to be fun and practical, as many people learn better that way.
Management: even with the best cyber security folk in your organisation, good, interested management is needed to assist. What in reality drives or does not drive everything? Cash (and time)! Many projects and programmes get zero security input, or at times not even a basic pen test. For those projects/programmes which do, higher management often want to get the project completed by x date regardless of its stability or security posture. A simple, quick pen test selected by the cheapest quote at the end does not suffice in my view, but sadly I have seen this on countless projects. Management needs to allocate fair resources and budgets to cyber security folk.